Box.com's Good Intentions Take a Bad Turn

Companies that use Box.com for storing and sharing data may be leaking sensitive information. Cybersecurity company Adversis recently announced that it had discovered a potential data leakage problem in the settings of file sharing company Box.com that left information like passport photos, Social Security and bank account numbers, technology prototype and design files, employee lists, financial data, customer lists, IT data and network diagrams exposed. Among the 90 affected companies were Apple, Schneider Electric, TV network Discovery, public relations firm Edelman and nutrition company Herbalife.

The problem stemmed from a change Box made to the way users can share files and folders via links, said storage expert George Crump of Storage Switzerland. Crump said that in an effort to make things more convenient, Box changed the way it creates links to make them more intuitive. In other words, the link became more descriptive. That’s great for companies and their users, but it also tells hackers what they are likely to access by clicking on a particular link.

Crump said that the blame should be shared by both Box and its customers. The main issue, Crump said, is that Box and other file sharing services have always allowed customers to choose the level of access controls based on the sensitivity of the files, but companies don’t always read the fine print. In other words, sensitive files were set to “public” when they should have been set to “private” or “people in your company.”

“If you have humans, you will have human error. That means companies have to take the initiative and protect the company,” he said. “Be careful of what you put out there. Have policies that detail what you can share, why you are sharing it, and how long you should share it.” Crump also recommended that companies proactively scan what’s being shared on an ongoing basis.
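The ongoing scan Crump recommends can be automated against the metadata a file-sharing service returns for each item. The script below is an added example, not code from the article or from Box; it assumes item records shaped like Box's API objects, where a `shared_link` carries an `access` value of `open` (anyone with the URL), `company` or `collaborators`, and an optional `unshared_at` expiry. The sample records are constructed.

```python
import json

# Constructed sample records (assumption: Box-style item objects with a
# `shared_link` whose `access` is "open", "company" or "collaborators").
SAMPLE_ITEMS = json.loads("""
[
 {"type": "file", "id": "1001", "name": "passport-scan.jpg",
  "shared_link": {"url": "https://example.box.com/s/abc123", "access": "open", "unshared_at": null}},
 {"type": "file", "id": "1002", "name": "q3-financials.xlsx",
  "shared_link": {"url": "https://example.box.com/s/def456", "access": "company", "unshared_at": "2019-06-30T00:00:00Z"}},
 {"type": "folder", "id": "2001", "name": "network-diagrams",
  "shared_link": {"url": "https://example.box.com/s/ghi789", "access": "open", "unshared_at": null}},
 {"type": "file", "id": "1003", "name": "team-photo.jpg",
  "shared_link": {"url": "https://example.box.com/s/jkl012", "access": "open", "unshared_at": "2019-04-01T00:00:00Z"}},
 {"type": "file", "id": "1004", "name": "notes.txt", "shared_link": null}
]
""")

# Name fragments that suggest the kinds of data the article says were exposed.
SENSITIVE_HINTS = ("passport", "ssn", "financial", "bank", "network", "diagram", "customer", "employee")

def audit_shared_links(items):
    """Return findings for items whose shared link is open to anyone holding the URL.

    An open link on a sensitively named item, or an open link with no expiry,
    is rated high; any other open link is rated medium. Company-only and
    collaborator-only links are not reported.
    """
    findings = []
    for item in items:
        link = item.get("shared_link")
        if not link or link.get("access") != "open":
            continue
        name = item.get("name", "").lower()
        looks_sensitive = any(hint in name for hint in SENSITIVE_HINTS)
        no_expiry = link.get("unshared_at") is None
        severity = "high" if (looks_sensitive or no_expiry) else "medium"
        findings.append({
            "id": item["id"], "type": item["type"], "name": item["name"],
            "severity": severity, "no_expiry": no_expiry,
            "remediation": "change shared link access to company/collaborators, or remove the link",
        })
    return findings

if __name__ == "__main__":
    for f in audit_shared_links(SAMPLE_ITEMS):
        print(f"{f['severity']:6} {f['type']:6} {f['id']} {f['name']} (no expiry: {f['no_expiry']})")
```

In a real deployment the records would come from the service's item or search API, and the scan would be scheduled so newly shared items are caught rather than reviewed once.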

As for Box, the change it made to make the URLs more intuitive probably wasn’t a great idea, Crump said.

Box spokesman Denis Roy said in a statement that the company is taking steps to make settings clearer, to better help users understand how their files or folders can be shared, and to reduce the potential for content to be shared unintentionally, including both improving administrative policies and introducing additional controls for shared links.

Crump made it clear that while files were exposed, there has been no evidence of an actual breach.

“There is no evidence, but something could have happened months ago that nobody knows about,” he said. “It’s a warning to companies to read the fine print, think about what’s being shared, and be careful what you share.”